b.) Remarks 

Claims 1-32 and 34-35 are pending in this application. Claims 1,21, and 34 have 
been amended in various particulars as indicated hereinabove. New Claim 35 has been 
added to alternatively define the invention. Claim 33 is cancelled without prejudice or 
disclaimer. 

Claims 1-34 are provisionally rejected under 35 U.S.C. 101 as claiming the same 
invention as that of claims 1-34 of copending Application No. 10/887,213. This rejection 
is respectfully traversed for the following reasons. 

The present claims describe a different invention from those in the 10/887,213 
application. For example, authentication is not mentioned in the claims of the instant 
application. Thus this rejection should be withdrawn. 

Claim 21 was rejected under 35 U.S.C. 112, second paragraph, as being indefinite 
for failing to particularly point out and distinctly claim the subject matter that applicant 
regards as the invention. This rejection is respectfully traversed for the following reasons. 

Revised claim 21 should address the comments relative to this claim in the 
pending Office Action. Withdrawal is requested. 

Turning now to the merits and for background, embodiments of the present 
invention are directed to protecting a communications network, such as a computer network, 
from attack, such as from self-propagating code or other breaches of security policies. 
The network is divided into "compartments" that are separated by access control devices, 
such as firewalls. The access control devices are then used to stop the security breach, 
such as the spread of self-propagating attack code ("zero-day" worms, for example). 
However, the access control devices are configured such that, upon activation, legitimate 
in-use network services will not be jeopardized. 

The invention capitalizes on the insight that much of the problem with zero-day 
worms and other attacks originates from network resources that are not in normal use. By 
blocking only traffic that is atypical for a particular network, for instance, database 
connections between two desktop systems that never normally speak a database protocol, 
the system is able to generate blocking actions that stifle the majority of attacks. On the 
other hand, the system is much less likely to disrupt business processes, since the access 
control devices will still permit network communications that exhibit behavior that is 
characteristic of normal communication patterns on the network. 

Claims 1-10, 12-14, 18, 21-29 and 32 were rejected under 35 U.S.C. 103(a) as 
being unpatentable over Copeland (US PgPub 2002/0144156). In related rejections, 
claims 11, 16-17, 19-20, 30-31 and 33-34 were rejected under 35 U.S.C. 103(a) as being 
unpatentable over Copeland (US 2002/0144156) and further in view of Yadav (US PgPub 
2003/0149888); and claim 15 was rejected under 35 U.S.C. 103(a) as being unpatentable 
over Copeland (US 2002/0144156) and further in view of Day (US Patent 7,017,186). 

These rejections are respectfully traversed for the following reasons. 

The system described in the Copeland application has some similarities to the 
system of the instant application. The Copeland application describes, for example, port 
profiling and trying to assess when computers are under attack. 

What the system of the Copeland application lacks is something akin to the 
claimed access control devices and control plane, which instructs the access control 
devices to allow network communications between the compartments of the computer 
network based on a usage model describing legitimate network communications while 
restricting other network communications between the compartments, in response to 
attack. See also new claim 35. 

In a similar way, claim 21, as amended, describes generating instructions to 
access control devices compartmentalizing the computer network in response to the 
characteristics of the attack, wherein the step of generating instructions to the access 
control devices comprises formulating pass and/or blocking rules for the access control 
devices in response to protocol characteristics and/or port characteristics of the attack, and 
issuing the instructions to the access control devices, which then compartmentalize the 
computer network by implementing the pass and/or blocking rules. 
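For illustration only, the following added example (not code from the present application, its specification, or the Copeland application) sketches the claimed sequence in Python: a usage model is built from baseline inter-compartment flows, and when an attack is reported with given protocol and port characteristics, the control plane formulates ordered pass rules for the legitimate flows on that protocol/port and blocking rules for all other inter-compartment traffic on it. The compartment names, baseline flow records, and the attack characteristics are constructed for this example and are not taken from the application.

```python
"""Toy control plane for compartmentalized attack response.

Added illustration, not code from the application or its specification.
Compartment names, flow records and the attack characteristics below are
constructed for this example only.
"""
from collections import Counter, namedtuple

# A flow crossing an access control device between two compartments.
Flow = namedtuple("Flow", "src_comp dst_comp proto dport")
# A pass/block rule issued to the access control devices.
Rule = namedtuple("Rule", "action src_comp dst_comp proto dport")

# Constructed baseline flow records observed during normal operation.
BASELINE = [
    Flow("desktops", "servers", "tcp", 1433),   # desktops talk to the DB servers
    Flow("desktops", "servers", "tcp", 1433),
    Flow("desktops", "servers", "tcp", 443),
    Flow("desktops", "dmz", "tcp", 80),
    Flow("servers", "dmz", "tcp", 1433),        # servers replicate to a DMZ DB
    Flow("desktops", "desktops", "tcp", 1433),  # intra-compartment, not policed here
]

# Constructed compartment list (hypothetical).
COMPARTMENTS = ["desktops", "servers", "dmz"]


def build_usage_model(flows, min_count=1):
    """Usage model: inter-compartment (src, dst, proto, port) tuples seen at
    least min_count times in baseline traffic.  Intra-compartment flows are
    skipped because the access control devices sit only between compartments."""
    counts = Counter(f for f in flows if f.src_comp != f.dst_comp)
    return {f for f, n in counts.items() if n >= min_count}


def generate_rules(usage_model, attack_proto, attack_port, compartments):
    """Formulate pass rules for legitimate flows on the attack's protocol/port,
    followed by a block rule for every other inter-compartment pair on it.
    Pass rules come first so first-match evaluation keeps in-use services alive."""
    rules = [
        Rule("pass", f.src_comp, f.dst_comp, f.proto, f.dport)
        for f in sorted(usage_model)
        if f.proto == attack_proto and f.dport == attack_port
    ]
    for src in compartments:
        for dst in compartments:
            if src != dst:
                rules.append(Rule("block", src, dst, attack_proto, attack_port))
    return rules


def evaluate(rules, flow):
    """First-match evaluation, as an access control device would apply the rules.
    Traffic no rule mentions is passed, so services unrelated to the attack's
    protocol/port are left untouched."""
    for r in rules:
        if (r.src_comp, r.dst_comp, r.proto, r.dport) == tuple(flow):
            return r.action
    return "pass"


if __name__ == "__main__":
    model = build_usage_model(BASELINE)
    # Constructed attack report: self-propagating code probing the DB port.
    rules = generate_rules(model, "tcp", 1433, COMPARTMENTS)
    for r in rules:
        print(r)
    for probe in [Flow("desktops", "servers", "tcp", 1433),
                  Flow("desktops", "dmz", "tcp", 1433),
                  Flow("desktops", "dmz", "tcp", 80)]:
        print(probe, "->", evaluate(rules, probe))
```

In this sketch the attack report carries only a protocol and a destination port; the usage model supplies which compartment pairs legitimately use that protocol/port, so the issued rule set blocks the atypical paths (for instance, desktops reaching the DMZ on the database port) while the established desktop-to-server database traffic continues.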

In short, the present claimed invention responds to an attack by causing access 
control devices, such as firewalls, to take specific claimed actions. 

In contradistinction, the Copeland application seems to issue "alarms." For 
example, cited paragraph [0066] from the Copeland application provides: 

[0066] Once the port profile is accurate, the port profiling 
engine 155 compares the two lists to detect operations that 
are "Out of Profile" and provide an alarm to the system 
operator. An Out of Profile operation can indicate the 
operation of a Trojan Horse program on the host, or the 
existence of a non-approved network application that has 
been installed. 

Similarly, cited paragraph [0166] from the Copeland application only provides that 
packets from a compromised host are dropped: 

[0166] The alert manager 630 looks for hosts whose 
network usage indicates Out of Profile network services. The 
new alarm conditions can cause immediate operator notifi- 
cation by an operator notification process 642. These con- 
ditions can be highlighted on the user interface, and cause 
SNMP trap messages to be sent to a network monitor such 
as HP Openview, and/or email messages to the network 
administrator which in turn may cause messages to be sent 
to beepers or cell phones. Messages can also be sent to cause 
automated devices such as a firewall manager 644 to drop 
packets going to or from an offending host. It will thus be 
appreciated that the present invention advantageously oper- 
ates in conjunction with firewalls and other network security 
devices and processes to provide additional protection for an 
entity's computer network and computer resources. 
The Copeland application does not suggest that the network should be 
reconfigured to continue to allow legitimate network communications described by a 
usage model while simultaneously restricting other network communications between the 
compartments, in response to attack, as claimed. 

Thus, it is respectfully asserted that the present rejection should be withdrawn. 

It is believed that the present application is in condition for allowance. A Notice 
of Allowance is respectfully solicited. Should any questions arise, the Examiner is 
encouraged to contact the undersigned. 



Respectfully submitted, 



By /grant houston/ 
J. Grant Houston 
Registration No.: 35,900 
Tel.: 781 863 9991 
Fax: 781 863 9931 

Lexington, Massachusetts 02421 
Date: September 6, 2007 